About the software tester's job. February 13, 2009
Posted by emeraldal in Software tester's job. Tags: software tester job
Some people think that a software tester's work is very easy. Some think it is not interesting. Some think it is difficult and not for everyone. And some people don't know at all what kind of profession a software tester has.
That's why I want to write about the software tester's job. However, I don't want to repeat general information such as: What is software testing? What is a bug? What types of testing are there?
I want to write about things that are kind of private, things that only testers know. What do testers really do? How do they do it? What responsibilities do they have? What qualities must a software tester have to do the job perfectly? What relationships do they have with developers? And more...
Read about it in my next posts in this category. I'm about to write many interesting things here.
Security testing. SQL injection. February 12, 2009
Posted by emeraldal in Security testing. Tags: Security testing
In this post I'll talk about the SQL injection attack. What is it? How do you find a vulnerability to this type of attack? How do you protect a web site from SQL injection?
SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when programmers don't verify data accepted from the user before using it in a query.
How to test?
1. Look on the site for a place where some parameter is passed in the URL.
For example, http://site/test.php?id=12
2. Make a small change to the parameter. The simplest way is to add a quotation mark.
For example, http://site/test.php?id=12'
3. Execute.
If you get something like:
«You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY p.pid DESC LIMIT 0, 20' at line 12»
Hurray! You've found a vulnerability on the site.
PS: I wrote "Hurray!" for testers. Certainly, developers must be very unhappy with this result.
In fact, that's all. Surely, for the hackers who will attack the site it is only the beginning. They'll write complicated queries to get the data stored in the database. Finally they'll get it and do with the site whatever they want.
But for us testers, an SQL injection vulnerability is enough to post a terrible bug and go ahead with our job, which is to find out what else to break.
Because there is still so much to break.
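The quote-mark test above, as an added example that is not from the original post: a query built by gluing the id parameter into the SQL string breaks with a syntax error when the tester sends id=12', while the same lookup written as a parameterised query (the fix the post asks about) treats 12' as plain data and simply returns no rows. The table, column names and the sqlite3 in-memory database are constructed for the example; the post only shows a URL and a MySQL error message.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (pid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(12, "twelfth post"), (13, "thirteenth post")])
    return conn


def lookup_vulnerable(conn, id_param):
    """String concatenation: whatever the user typed becomes part of the SQL.
    Mirrors the shape of the query behind the MySQL error quoted above."""
    sql = ("SELECT title FROM posts WHERE pid = " + id_param
           + " ORDER BY pid DESC LIMIT 0, 20")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Parameterised query: the value is bound separately from the SQL text,
    so a quotation mark in it can never change the statement's structure."""
    sql = "SELECT title FROM posts WHERE pid = ? ORDER BY pid DESC LIMIT 0, 20"
    return conn.execute(sql, (id_param,)).fetchall()


def probe(lookup, id_param):
    """Step 3 of the test: run the lookup and report whether the modified
    parameter produced a database error (the sign of an injectable input)."""
    conn = make_db()
    try:
        rows = lookup(conn, id_param)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", rows)


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        for value in ("12", "12'"):
            print(name, repr(value), "->", probe(fn, value))
```

Only the concatenated version reports an error for 12'; the parameterised version answers both inputs without an error, which is the behaviour a tester should see after the developer's fix.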
Security testing. Introduction. February 3, 2009
Posted by emeraldal in Security testing. Tags: Security testing
There are lots of types of testing and many articles describing each type. However, among all these types there is one that isn't described in detail. At least I haven't come across many articles about it. This is security testing.
As I've noticed, testers pay little attention to security testing. This is a big mistake, because one of the biggest problems that can happen to a web site or system is a successful hacker attack. Attackers can steal secret data (e.g. the customer database), they can cause extensive damage to the site... and it all may lead to the unhappy end of the site.
That’s why I want to share my knowledge and experience in security testing.
I'm going to give a short description of what security testing means and how it is performed (what exactly is tested and how). I'll tell in detail about the tools that are used for security testing, at least about the ones I use for my own purposes.
So, what is security testing?
Security testing is a procedure intended to determine the security vulnerabilities of the software under test. It consists of trying to perform attacks on the site in order to find its weak places.
The most commonly used attacks are the following:
- SQL injection
- XSS attack
- PHP including
- parameter substitution in the URL
Actually, there are more types of attacks, but I can only tell about the ones I know how to find.
Read more in the next posts about each attack and how to detect whether such an attack can be performed on the site.